Last updated: 2026-04-16
StillDeck (“we”, “us”, “our”) is a free online Klondike solitaire game operated by MN Media s.r.o. This policy explains what data we collect, why, and what choices you have.
We keep things simple: your game runs locally, we collect minimal analytics only with your consent, and we never show ads or sell data.
What we collect and why
Without an account (default)
Your entire game — cards, moves, score, settings, and statistics — is stored locally in your browser using localStorage. No data is sent to our servers. We assign a pseudonymous device identifier (a random UUID stored in localStorage) solely so that if you later create an account, we can merge your local stats with the server copy without duplicating them.
With an optional account
If you choose to sign in (email magic-link, no password), we additionally store:
- Your email address — to authenticate you and send the sign-in link.
- Game results (win/loss, time, moves, score per game) — to sync statistics across your devices.
- Settings JSON (theme, draw mode, accessibility preferences) — to sync preferences.
- Device identifier — linked to your account to prevent duplicate stat merges.
After analytics consent
If you accept analytics cookies, Google Analytics 4 collects:
- Truncated IP address (last octet zeroed by GA4 default).
- User-agent string, screen resolution, browser language.
- Pages visited, feature-usage events (e.g. “started game”, “changed theme”).
After session replay consent
If you accept session replay cookies, Hotjar collects:
- Anonymized IP address.
- Clicks, scrolls, and cursor movements.
- Page content snapshots (email addresses and input fields are suppressed via data-hj-suppress).
Legal bases for processing
Under the GDPR we rely on the following legal bases:
- Consent — Art. 6(1)(a) — Analytics (GA4) and session replay (Hotjar). You can withdraw consent at any time via the cookie banner or the Settings panel.
- Performance of a contract — Art. 6(1)(b) — Storing your game state, settings, and statistics locally; account creation and cross-device sync when you choose to sign in.
- Legitimate interest — Art. 6(1)(f) — Security logging, fraud prevention, and maintaining service reliability. We balance our interest against your rights by minimizing the data collected and retaining it only as long as necessary.
Sub-processors
We share data with the following third-party processors:
| Name | Purpose | Location | Transfer basis | DPA / Privacy |
|---|---|---|---|---|
| Supabase, Inc. | Account storage: email, game results, settings | EU (Ireland, AWS eu-west-1) | No cross-border transfer (EU-only) | DPA / Privacy |
| Google LLC (Google Analytics 4) | Aggregate traffic measurement and feature usage | United States | EU Standard Contractual Clauses (2021/914) | DPA / Privacy |
| Hotjar Ltd (Contentsquare Group) | Session replay and heatmaps for UX optimization | Malta / United States | EU Standard Contractual Clauses (2021/914) | DPA / Privacy |
Cookies and local storage
StillDeck uses localStorage (not HTTP cookies) for essential data, plus third-party cookies for analytics and replay if you consent.
Outside the EU, EEA, UK, and Switzerland, analytics and session replay are enabled by default. You can opt out at any time via Settings → Privacy & data.
| Name | Provider | Purpose | Expiry | Category |
|---|---|---|---|---|
| stilldeck:consent:v1 | StillDeck (localStorage) | Stores your cookie consent choice | Persistent | Essential |
| solitaire:game:v1 | StillDeck (localStorage) | Saves your in-progress game | Persistent | Essential |
| solitaire:settings:v1 | StillDeck (localStorage) | Remembers theme, card size, accessibility | Persistent | Essential |
| solitaire:stats:v1 | StillDeck (localStorage) | Stores local game statistics and streaks | Persistent | Essential |
| solitaire:device:v1 | StillDeck (localStorage) | Pseudonymous device ID for stats merge | Persistent | Essential |
| stilldeck:last-locale:v1 | StillDeck (localStorage) | Remembers preferred language | Persistent | Essential |
| sb-*-auth-token | Supabase (cookie/localStorage) | Keeps you signed in | Until sign-out or 30 days | Essential |
| _ga | Google Analytics | Distinguishes unique visitors | 2 years | Analytics |
| _ga_QZR4D0GWW5 | Google Analytics | Maintains GA4 session state | 2 years | Analytics |
| _hjSessionUser_6689617 | Hotjar | Unique visitor ID for session replay | 365 days | Session replay |
| _hjSession_6689617 | Hotjar | Current Hotjar session ID | 30 minutes | Session replay |
| _hjIncludedInSessionSample_6689617 | Hotjar | Sample inclusion flag | 2 minutes | Session replay |
| _hjFirstSeen | Hotjar | First-time vs returning visitor flag | Session | Session replay |
International transfers
Essential data (account storage) stays within the EU (Supabase, AWS eu-west-1). Analytics and session-replay data may be transferred to the United States under the EU Standard Contractual Clauses (Commission Implementing Decision 2021/914). You can prevent these transfers by declining analytics and replay cookies.
How long we keep your data
We retain data only as long as necessary for the purposes described above.
- Account email: Retained for the life of your account. Deleted within 30 days of account deletion.
- Game results (server): Retained for the life of your account. Deleted together with your account.
- Settings (server): Retained for the life of your account. Deleted together with your account.
- Device identifier: Tied to account lifetime. Stored locally until you clear browser storage.
- Google Analytics: Default retention of 14 months for user-level data.
- Session recordings: Retained up to 365 days, then auto-deleted.
- Local storage (browser): Retained until you clear your browser storage.
Your rights
Under the GDPR you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate personal data.
- Erasure — request deletion of your data (“right to be forgotten”).
- Restriction — ask us to limit how we process your data.
- Portability — receive your data in a structured, machine-readable format.
- Object — object to processing based on legitimate interest.
You also have the right to lodge a complaint with your local data protection authority. For users in Czechia, this is the Office for Personal Data Protection (ÚOOU).
Withdrawing consent
You can withdraw consent for analytics and session replay at any time by opening the cookie banner from the footer (“Cookie settings”) or from the Settings panel inside the game. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
Children’s privacy
StillDeck is a general-audience card game. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
Changes to this policy
We may update this policy from time to time. Material changes will be communicated through a consent re-prompt (by incrementing the consent version). The “Last updated” date at the top of this page always reflects the latest revision.
Contact us
If you have questions about this policy or want to exercise your rights, email us at hello@stilldeck.com. We aim to respond within 30 days.
Data controller
The data controller for StillDeck is:
MN Media s.r.o.
Varšavská 715/36, Vinohrady, 120 00 Praha 2, Czechia
hello@mnmedia.io